btrfs-progs: crypto: add openssl as crypto provider
https://www.openssl.org/ Is a well known cryptography library and since freshly released version 3.2 it also supports variable digest size of blake2b, so we can now add it among the crypto providers. Configure with --with-crypto=openssl. Signed-off-by: David Sterba <dsterba@suse.com>
This commit is contained in:
David Sterba
parent
5221aedc00
commit
32880fa518
7
.github/workflows/ci-build-test.yml
vendored
7
.github/workflows/ci-build-test.yml
vendored
|
|
@ -87,3 +87,10 @@ jobs:
|
|||
- uses: actions/checkout@v3
|
||||
- name: CI Tumbleweed (Botan)
|
||||
run: ci/ci-build-tumbleweed HEAD --with-crypto=botan
|
||||
check-tumbleweed-openssl:
|
||||
name: CI Tumbleweed (OpenSSL)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: CI Tumbleweed (OpenSSL)
|
||||
run: ci/ci-build-tumbleweed HEAD --with-crypto=openssl
|
||||
|
|
|
|||
1
INSTALL
1
INSTALL
|
|
@ -22,6 +22,7 @@ dependencies are not desired.
|
|||
- libsodium >= 1.0.4
|
||||
- libkcapi >= 1.0.0
|
||||
- Botan >= 2.19.0
|
||||
- OpenSSL >= 3.2.0
|
||||
|
||||
Optionally, multipath device detection requires libudev and running udev
|
||||
daemon, as it's the only source of the path information. Static build has a
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ PYTHON_BINDINGS = @PYTHON_BINDINGS@
|
|||
PYTHON = @PYTHON@
|
||||
PYTHON_CFLAGS = @PYTHON_CFLAGS@
|
||||
CRYPTOPROVIDER_BUILTIN = @CRYPTOPROVIDER_BUILTIN@
|
||||
CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@
|
||||
CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@ @OPENSSL_CFLAGS@
|
||||
|
||||
HAVE_CFLAG_msse2 = @HAVE_CFLAG_msse2@
|
||||
HAVE_CFLAG_msse41 = @HAVE_CFLAG_msse41@
|
||||
|
|
@ -37,7 +37,7 @@ SUBST_LDFLAGS = @LDFLAGS@
|
|||
LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ @LIBUDEV_LIBS@ -L. -pthread
|
||||
LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@
|
||||
LIBS_PYTHON = @PYTHON_LIBS@
|
||||
LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@
|
||||
LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@ @OPENSSL_LIBS@
|
||||
STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread
|
||||
STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@
|
||||
|
||||
|
|
|
|||
|
|
@ -124,7 +124,7 @@ functions is provided by copies of the respective sources to avoid adding
|
|||
dependencies that would make deployments in rescue or limited environments
|
||||
harder. The implementations are portable and there are optimized versions for
|
||||
some architectures. Optionally it's possible to use libgcrypt, libsodium,
|
||||
libkcapi or Botan implementations.
|
||||
libkcapi, Botan or OpenSSL implementations.
|
||||
|
||||
* CRC32C: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
|
||||
* XXHASH: https://github.com/Cyan4973/xxHash
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ RUN zypper install -y --no-recommends glibc-devel-static libblkid-devel-static \
|
|||
|
||||
RUN zypper install -y --no-recommends gcc13
|
||||
RUN zypper install -y --no-recommends libgcrypt-devel libsodium-devel libkcapi-devel \
|
||||
libbotan-devel
|
||||
libbotan-devel libopenssl-3-devel
|
||||
|
||||
COPY ./test-build .
|
||||
COPY ./run-tests .
|
||||
|
|
|
|||
10
configure.ac
10
configure.ac
|
|
@ -236,7 +236,7 @@ if test "$DISABLE_BTRFSCONVERT" = 0 && test "x$convertfs" = "x"; then
|
|||
fi
|
||||
|
||||
AC_ARG_WITH([crypto],
|
||||
AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan]),
|
||||
AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan, openssl]),
|
||||
[], [with_crypto=builtin]
|
||||
)
|
||||
|
||||
|
|
@ -247,6 +247,7 @@ CRYPTOPROVIDER_LIBGCRYPT=0
|
|||
CRYPTOPROVIDER_LIBSODIUM=0
|
||||
CRYPTOPROVIDER_LIBKCAPI=0
|
||||
CRYPTOPROVIDER_BOTAN=0
|
||||
CRYPTOPROVIDER_OPENSSL=0
|
||||
if test "$with_crypto" = "builtin"; then
|
||||
cryptoprovider="builtin"
|
||||
CRYPTOPROVIDER_BUILTIN=1
|
||||
|
|
@ -270,6 +271,11 @@ elif test "$with_crypto" = "botan"; then
|
|||
PKG_CHECK_MODULES(BOTAN, [botan-2 >= 2.19.0])
|
||||
CRYPTOPROVIDER_BOTAN=1
|
||||
cryptoproviderversion=`${PKG_CONFIG} botan-2 --modversion`
|
||||
elif test "$with_crypto" = "openssl"; then
|
||||
cryptoprovider="openssl"
|
||||
PKG_CHECK_MODULES(OPENSSL, [libcrypto >= 3.2.0])
|
||||
CRYPTOPROVIDER_OPENSSL=1
|
||||
cryptoproviderversion=`${PKG_CONFIG} libcrypto --modversion`
|
||||
else
|
||||
AC_MSG_ERROR([unrecognized crypto provider: $with_crypto])
|
||||
fi
|
||||
|
|
@ -283,6 +289,8 @@ AC_SUBST([CRYPTOPROVIDER_LIBKCAPI])
|
|||
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_LIBKCAPI],[$CRYPTOPROVIDER_LIBKCAPI],[Use libkcapi])
|
||||
AC_SUBST([CRYPTOPROVIDER_BOTAN])
|
||||
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_BOTAN],[$CRYPTOPROVIDER_BOTAN],[Use Botan])
|
||||
AC_SUBST([CRYPTOPROVIDER_OPENSSL])
|
||||
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_OPENSSL],[$CRYPTOPROVIDER_OPENSSL],[Use OpenSSL])
|
||||
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER],["$cryptoprovider"],[Crypto implementation source name])
|
||||
|
||||
AX_CHECK_DEFINE([linux/fiemap.h], [FIEMAP_EXTENT_SHARED], [],
|
||||
|
|
|
|||
|
|
@ -202,6 +202,8 @@ int main(int argc, char **argv) {
|
|||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
|
||||
{ .name = "SHA256-botan", .digest = hash_sha256, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
|
||||
{ .name = "SHA256-openssl", .digest = hash_sha256, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
|
||||
{ .name = "SHA256-NI", .digest = hash_sha256, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_SHA, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
|
||||
{ .name = "BLAKE2-ref", .digest = hash_blake2b, .digest_size = 32,
|
||||
|
|
@ -214,6 +216,8 @@ int main(int argc, char **argv) {
|
|||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
|
||||
{ .name = "BLAKE2-botan", .digest = hash_blake2b, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
|
||||
{ .name = "BLAKE2-openssl", .digest = hash_blake2b, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
|
||||
{ .name = "BLAKE2-SSE2", .digest = hash_blake2b, .digest_size = 32,
|
||||
.cpu_flag = CPU_FLAG_SSE2, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
|
||||
{ .name = "BLAKE2-SSE41", .digest = hash_blake2b, .digest_size = 32,
|
||||
|
|
|
|||
|
|
@ -490,6 +490,14 @@ static const struct hash_testspec test_spec[] = {
|
|||
.cpu_flag = CPU_FLAG_NONE,
|
||||
.hash = hash_sha256,
|
||||
.backend = CRYPTOPROVIDER_BOTAN + 1
|
||||
}, {
|
||||
.name = "SHA256-openssl",
|
||||
.digest_size = 32,
|
||||
.testvec = sha256_tv,
|
||||
.count = ARRAY_SIZE(sha256_tv),
|
||||
.cpu_flag = CPU_FLAG_NONE,
|
||||
.hash = hash_sha256,
|
||||
.backend = CRYPTOPROVIDER_OPENSSL + 1
|
||||
}, {
|
||||
.name = "SHA256-NI",
|
||||
.digest_size = 32,
|
||||
|
|
@ -538,6 +546,14 @@ static const struct hash_testspec test_spec[] = {
|
|||
.cpu_flag = CPU_FLAG_NONE,
|
||||
.hash = hash_blake2b,
|
||||
.backend = CRYPTOPROVIDER_BOTAN + 1
|
||||
}, {
|
||||
.name = "BLAKE2-openssl",
|
||||
.digest_size = 32,
|
||||
.testvec = blake2b_256_tv,
|
||||
.count = ARRAY_SIZE(blake2b_256_tv),
|
||||
.cpu_flag = CPU_FLAG_NONE,
|
||||
.hash = hash_blake2b,
|
||||
.backend = CRYPTOPROVIDER_OPENSSL + 1
|
||||
}, {
|
||||
.name = "BLAKE2-SSE2",
|
||||
.digest_size = 32,
|
||||
|
|
|
|||
|
|
@ -235,3 +235,56 @@ int hash_blake2b(const u8 *buf, size_t len, u8 *out)
|
|||
}
|
||||
|
||||
#endif
|
||||
|
||||
#if CRYPTOPROVIDER_OPENSSL == 1
|
||||
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
void hash_init_accel(void)
|
||||
{
|
||||
crc32c_init_accel();
|
||||
}
|
||||
|
||||
int hash_sha256(const u8 *buf, size_t len, u8 *out)
|
||||
{
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
|
||||
if (!ctx) {
|
||||
ctx = EVP_MD_CTX_new();
|
||||
if (!ctx) {
|
||||
fprintf(stderr, "HASH: cannot instantiate sha256\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
EVP_DigestInit(ctx, EVP_sha256());
|
||||
EVP_DigestUpdate(ctx, buf, len);
|
||||
EVP_DigestFinal(ctx, out, NULL);
|
||||
/* EVP_MD_CTX_free(ctx); */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int hash_blake2b(const u8 *buf, size_t len, u8 *out)
|
||||
{
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
size_t digest_size = 256 / 8;
|
||||
const OSSL_PARAM params[] = {
|
||||
OSSL_PARAM_size_t("size", &digest_size),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
if (!ctx) {
|
||||
ctx = EVP_MD_CTX_new();
|
||||
if (!ctx) {
|
||||
fprintf(stderr, "HASH: cannot instantiate sha256\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params);
|
||||
EVP_DigestUpdate(ctx, buf, len);
|
||||
EVP_DigestFinal(ctx, out, NULL);
|
||||
/* EVP_MD_CTX_free(ctx); */
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -133,6 +133,9 @@ build_make_targets
|
|||
conf='--with-crypto=botan'
|
||||
build_make_targets
|
||||
|
||||
conf='--with-crypto=openssl'
|
||||
build_make_targets
|
||||
|
||||
# Old architectures
|
||||
conf='--with-crypto=builtin'
|
||||
buildme_cflags '-march=core2'
|
||||
|
|
|
|||
|
|
@ -37,6 +37,7 @@ buildme libgcrypt
|
|||
buildme libsodium
|
||||
buildme libkcapi
|
||||
buildme botan
|
||||
buildme openssl
|
||||
|
||||
echo "VERDICT:"
|
||||
echo "$verdict"
|
||||
|
|
|
|||
Loading…
Reference in a new issue